Lucene search
K
NucleiMost viewed

4136 matches found

Nuclei
Nuclei
added 18 hours ago60 views

DomainMOD 4.11.01 - Cross-Site Scripting

DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /admin/ssl-fields/add.php Display Name, Description & Notes field parameters. id: CVE-2018-19751 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.11.01 contains...

4.8CVSS6.2AI score0.03316EPSS
Exploits6References4
Nuclei
Nuclei
added 18 hours ago60 views

Tiki Wiki CMS Groupware 5.2 - Local File Inclusion

Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability. id: CVE-2010-4239 info: name: Tiki Wiki CMS Groupware 5.2 - Local File Inclusion author: 0xakoko severity: critical description: Tiki Wiki CMS Groupware 5.2 is susceptible to a local file inclusion vulnerability...

9.8CVSS7.2AI score0.1343EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago60 views

WordPress JNews Theme <8.0.6 - Cross-Site Scripting

WordPress JNews theme before 8.0.6 contains a reflected cross-site scripting vulnerability. It does not sanitize the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory. id: CVE-2021-24342 info: name: WordPress JNews Theme =8.0.6 to mitigate the XSS...

6.1CVSS6.3AI score0.01975EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago60 views

Proxmox - CRLF Injection

A response-header CRLF injection vulnerability in the Proxmox Virtual Environment PVE and Proxmox Mail Gateway PMG web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers...

7.1CVSS7.1AI score0.0138EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago60 views

Exrick XMall - SQL Injection

XMall v1.1 was discovered to contain a SQL injection vulnerability via the 'orderDir' parameter. id: CVE-2024-24112 info: name: Exrick XMall - SQL Injection author: DhiyaneshDk severity: critical description: | XMall v1.1 was discovered to contain a SQL injection vulnerability via the 'orderDir'...

9.8CVSS7.2AI score0.03348EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago60 views

BigAnt Server v5.6.06 - Local File Inclusion

BigAnt Server v5.6.06 is vulnerable to local file inclusion. id: CVE-2022-23347 info: name: BigAnt Server v5.6.06 - Local File Inclusion author: 0xAkoko severity: high description: BigAnt Server v5.6.06 is vulnerable to local file inclusion. impact: | Successful exploitation of this vulnerability...

7.5CVSS7AI score0.13121EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago60 views

TOTOLink - Unauthenticated Command Injection

TOTOLink A950RG V5.9c.4050B20190424 and V4.1.2cu.5204B20210112 were discovered to contain a command injection vulnerability in the Main function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter. id: CVE-2022-25082 info: name: TOTOLink -...

9.8CVSS7.4AI score0.16089EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago60 views

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-base...

6.1CVSS6.4AI score0.03345EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago60 views

PowerJob <=4.3.2 - Unauthenticated Access

PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. id: CVE-2023-29923 info: name: PowerJob =4.3.2 - Unauthenticated Access author: For3stCo1d severity: medium description: | PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. impact: ...

5.3CVSS6.1AI score0.09545EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago60 views

WordPress Guppy <=1.1 - Information Disclosure

WordPress Guppy plugin through 1.1 is susceptible to an API disclosure vulnerability. This can allow an attacker to obtain all user IDs and then use them to make API requests to get messages sent between users and/or send messages posing as one user to another. id: CVE-2021-24997 info: name:...

6.5CVSS6.6AI score0.02753EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago60 views

PHPJabbers Ticket Support Script v3.2 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the message parameter of index.php in PHPJabbers Ticket Support Script v3.2. id: CVE-2023-40753 info: name: PHPJabbers Ticket Support Script v3.2 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site...

5.4CVSS6.1AI score0.01053EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday60 views

mojoPortal 2.7.0.0 - Cross-Site Scripting

mojoPortal 2.7.0.0 contains a cross-site scripting vulnerability in the FileDialog.aspx component, which can allow an attacker to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters. id: CVE-2023-24322 info: name: mojoPortal 2.7.0.0 - Cross-Site...

6.1CVSS6.5AI score0.31714EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday60 views

MCMS 5.2.4 - SQL Injection

MCMS 5.2.4 contains a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-25125 info: name: MCMS...

9.8CVSS7.3AI score0.07173EPSS
Exploits1References3
Nuclei
Nuclei
added 2 days ago60 views

Apache APISIX - Insufficiently Protected Credentials

Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. id: CVE-2020-13945 info: name: Apache...

6.5CVSS6.9AI score0.72976EPSS
Exploits5References5
Nuclei
Nuclei
added 2 days ago60 views

Homematic CCU3 - Local File Inclusion

eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem, aka local file inclusion. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. id: CVE-2019-9726 info: name: Homematic CCU3 - Local...

7.5CVSS7.2AI score0.15732EPSS
Exploits1References3
Nuclei
Nuclei
added 3 days ago60 views

SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution

SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the systemlog.cgi page. id: CVE-2020-17456 info: name: SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution author: gy741,edoardottt severity: critical description: SEOWON INTECH...

9.8CVSS8AI score0.71691EPSS
Exploits8References5
Nuclei
Nuclei
added 3 days ago60 views

AVTECH IP Camera - Command Injection

The endpoint /cgi-bin/supervisor/Factory.cgi is vulnerable to command injection via the action parameter, allowing remote code execution. id: CVE-2024-7029 info: name: AVTECH IP Camera - Command Injection author: DhiyaneshDK severity: high description: | The endpoint /cgi-bin/supervisor/Factory.c...

9.8CVSS7.6AI score0.38998EPSS
Exploits5References6
Nuclei
Nuclei
added 3 days ago60 views

NetAlert X - Arbitary File Read

A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18 - v24.9.12. id: CVE-2024-48766 info: name: NetAlert X - Arbitary File Read author: s4e-io severity: critical description: | A directory traversal vulnerability has been identified in NetAlertX versions v24.7.18...

8.6CVSS6.9AI score0.68076EPSS
Exploits1References3
Nuclei
Nuclei
added 4 days ago60 views

Wavlink Multiple AP - Remote Command Injection

Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink...

10CVSS7.4AI score0.68794EPSS
Exploits1References5
Nuclei
Nuclei
added 4 days ago60 views

Atlassian Jira Confluence - Cross-Site Scripting

Atlassian Jira Confluence before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4, and from version 7.9.0 before version 7.9.2, allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting vulnerability in the error messa...

6.1CVSS6.8AI score0.37611EPSS
Exploits0References5
Nuclei
Nuclei
added 2026/06/28 3:8 p.m.60 views

Apache Solr <=8.3.1 - Remote Code Execution

Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable,...

7.5CVSS7.7AI score0.98567EPSS
Exploits12References5
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.60 views

Apache Struts <=2.5.20 - Remote Code Execution

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution. id: CVE-2019-0230 info: name: Apache Struts =2.5.20 - Remote Code Execution author: geeknik severity: critical description: Apache Struts 2.0.0 ...

9.8CVSS8.9AI score0.97399EPSS
Exploits15References5
Nuclei
Nuclei
added 2024/11/10 10:28 p.m.60 views

GitHub Enterprise - SAML Authentication Bypass

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be...

9.5CVSS9.3AI score0.22443EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago59 views

osTicket 1.15.x - SQL Injection

A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topicid" URL parameters combination. id: CVE-2021-45811 info: name: osTicket 1.15.x - SQL Injection author:...

6.5CVSS6.9AI score0.02808EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago59 views

Phoenix Framework - Open Redirect

Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks. id: CVE-2017-1000163 info: name: Phoenix Framework - Open Redirect author: 0xAkoko severity: medium...

6.1CVSS6.4AI score0.0206EPSS
Exploits0References4
Nuclei
Nuclei
added 18 hours ago59 views

Aruba Airwave <8.2.3.1 - Cross-Site Scripting

Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting. id: CVE-2016-8527 info: name: Aruba Airwave 8.2.3.1 - Cross-Site Scripting author: pikpikcu severity: medium description: Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting...

6.1CVSS6.4AI score0.13164EPSS
Exploits5References5
Nuclei
Nuclei
added 18 hours ago59 views

AppServ Open Project <=2.5.10 - Cross-Site Scripting

AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. id: CVE-2008-2398 info: name: AppServ Open Project =2.5.11 or apply the necessary security patches...

4.3CVSS6AI score0.06232EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago59 views

Allied Telesis AT-GS950/8 - Local File Inclusion

Allied Telesis AT-GS950/8 until Firmware AT-S107 V.1.1.3 is susceptible to local file inclusion via its web interface. id: CVE-2019-18922 info: name: Allied Telesis AT-GS950/8 - Local File Inclusion author: 0xAkoko severity: high description: | Allied Telesis AT-GS950/8 until Firmware AT-S107...

7.8CVSS7.1AI score0.24742EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago59 views

OpenDreambox 2.0.0 - Remote Code Execution

OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py. id: CVE-2017-14135 info: nam...

10CVSS8AI score0.21842EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

MyCryptoCheckout < 2.124 - Cross-Site Scripting

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. id: CVE-2023-1546 info: name: MyCryptoCheckout 2.124 - Cross-Site Scripting author: Harsh severity: medium description: | The...

6.1CVSS6.8AI score0.0085EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago59 views

Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server id: CVE-2023-5991 info: name: Hotel Booking...

9.8CVSS7.3AI score0.03313EPSS
Exploits2References2
Nuclei
Nuclei
added 18 hours ago59 views

CuppaCMS v1.0 - Local File Inclusion

Cuppa CMS v1.0 is vulnerable to local file inclusion via the component /templates/default/html/windows/right.php. id: CVE-2022-34121 info: name: CuppaCMS v1.0 - Local File Inclusion author: edoardottt severity: high description: | Cuppa CMS v1.0 is vulnerable to local file inclusion via the...

7.5CVSS7AI score0.03059EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...

9.8CVSS7.2AI score0.04234EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago59 views

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)

Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server. id: CVE-2021-28481 info: name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass...

10CVSS7.9AI score0.83337EPSS
Exploits4References5
Nuclei
Nuclei
added 18 hours ago59 views

HotelDruid Hotel Management Software 3.0.3 - Cross-Site Scripting

HotelDruid Hotel Management Software 3.0.3 contains a cross-site scripting vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. id: CVE-2022-26564 info: name: HotelDruid Hotel Management Software 3.0.3 - Cross-Site Scripting author: alexrydzak severity: medium description: | HotelDru...

6.1CVSS6.3AI score0.02708EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

WordPress WPB Show Core - Cross-Site Scripting

WordPress wpb-show-core plugin through TODO contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site...

6.1CVSS6.4AI score0.00902EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago59 views

node-srv - Local File Inclusion

node-srv is vulnerable to local file inclusion due to lack of url validation, which allows a malicious user to read content of any file with known path. id: CVE-2018-3714 info: name: node-srv - Local File Inclusion author: madrobot severity: medium description: node-srv is vulnerable to local fil...

6.5CVSS6.8AI score0.08632EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

Cryptocurrency Widgets Pack < 2.0 - SQL Injection

The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2022-4059 info: name: Cryptocurrency Widgets Pack 2.0 - SQL Injection author: r3Y3r53 severity: critical description...

9.8CVSS7.2AI score0.04756EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago59 views

Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting XSS vulnerability via accesstoken.php. id: CVE-2022-34093 info: name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | Portal do...

6.1CVSS6.3AI score0.0225EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

EyouCMS 1.5.4 Open Redirect

EyouCMS 1.5.4 is vulnerable to an Open Redirect vulnerability. An attacker can redirect a user to a malicious url via the Logout function. id: CVE-2021-39501 info: name: EyouCMS 1.5.4 Open Redirect author: 0xAkoko severity: medium description: EyouCMS 1.5.4 is vulnerable to an Open Redirect...

6.1CVSS6.5AI score0.03604EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure

Acexy Wireless-N WiFi Repeater REV 1.0 is vulnerable to password disclosure because the password.html page of the web management interface contains the administrator account password in plaintext. id: CVE-2021-28937 info: name: Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure...

7.5CVSS7.1AI score0.05266EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

WAVLINK WN579X3 - Remote Command Execution

Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi. id: CVE-2023-3380 info: name: WAVLINK WN579X3 - Remote Command Execution author: pussycat0x severity: critical description: | Remote Command Execution vulnerability in WAVLINK WN579X3 route...

9.8CVSS6.4AI score0.0388EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago59 views

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the email parameter in the Check Email function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.01333EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

EpiServer Find <13.2.7 - Open Redirect

EpiServer Find before 13.2.7 contains an open redirect vulnerability via the tredirect parameter in a crafted URL, such as a /findv2/click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id:...

6.1CVSS6.3AI score0.0474EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago59 views

WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download

Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction. id: CVE-2025-47445 info: name: WordPress Eventin Themewinter ≤ 4.0.26 - Arbitrary File Download...

9.8CVSS7.3AI score0.0465EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago59 views

EyouCms v1.6.3 - Information Disclosure

EyouCms v1.6.3 was discovered to contain an information disclosure vulnerability via the component /custommodelpath/recruit.filelist.txt. id: CVE-2023-37645 info: name: EyouCms v1.6.3 - Information Disclosure author: pussycat0x severity: medium description: | EyouCms v1.6.3 was discovered to...

5.3CVSS6.1AI score0.23827EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday59 views

Luracast Restler 3.0.1 via TYPO3 Restler 1.7.1 - Local File Inclusion

Luracast Restler 3.0.1 via TYPO3 Restler 1.7.1 is susceptible to local file inclusion in public/examples/resources/getsource.php. This could allow remote attackers to read arbitrary files via the file parameter. id: CVE-2017-15363 info: name: Luracast Restler 3.0.1 via TYPO3 Restler 1.7.1 - Local...

7.5CVSS7.2AI score0.13649EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday59 views

Versa Concerto API Path Based - Authentication Bypass

Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources. id: CVE-2025-34027 info:...

10CVSS7.4AI score0.35993EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday59 views

WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion

WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the libpath parameter before being passed into a call to require via the narnoodistributorlibrequest AJAX action, and the content of the file is displayed in the...

9.8CVSS7.8AI score0.4783EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday59 views

BIQS IT Biqs-drive v1.83 Local File Inclusion

A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user. id: CVE-2021-394...

7.5CVSS7.1AI score0.08449EPSS
Exploits1References5
Total number of security vulnerabilities4136